cvedb.io
CVE-2026-33320
MEDIUM · CVSS 6.2
EPSS exploitation probability: 0%
Published 2026-03-24T01:17:02.203 · Last modified 2026-06-17T10:37:19.127

Summary

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
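A minimal sketch of the class of fix the summary implies: following alias pointers by hand while charging every visited node against a shared expansion budget. This is an added example, not Dasel's or go-yaml's code; `Node` is a simplified stand-in for `yaml.Node`, and `Expand`, `NestedAliases` and `ErrAliasBudget` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Node is a simplified stand-in for go-yaml's yaml.Node (assumption).
type Node struct {
	Alias   *Node   // non-nil when this node is an alias to an anchored node
	Content []*Node // children of a sequence or mapping
}

var ErrAliasBudget = errors.New("yaml: alias expansion budget exceeded")

// Expand walks n, following alias pointers, and returns how many nodes it
// visited. Every visit costs one unit of *budget, shared across the walk.
func Expand(n *Node, budget *int) (int, error) {
	if *budget <= 0 {
		return 0, ErrAliasBudget
	}
	*budget--
	if n.Alias != nil {
		v, err := Expand(n.Alias, budget)
		return v + 1, err
	}
	visited := 1
	for _, c := range n.Content {
		v, err := Expand(c, budget)
		visited += v
		if err != nil {
			return visited, err
		}
	}
	return visited, nil
}

// NestedAliases builds constructed test input: each level holds two aliases
// to the level below, so resolved size doubles per level.
func NestedAliases(depth int) *Node {
	cur := &Node{}
	for i := 0; i < depth; i++ {
		cur = &Node{Content: []*Node{{Alias: cur}, {Alias: cur}}}
	}
	return cur
}

func main() {
	budget := 10000
	fmt.Println(Expand(NestedAliases(30), &budget)) // stops at the budget
}
```

Without the budget check, the same walk over the 30-level input would visit 2^32 - 3 nodes; with it, work is capped at the caller's limit regardless of nesting.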

Affected products

tomwright — dasel

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.